CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,797 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 44 of 76
- CVE-2023-40309CRITICALCVSS 9.8EG 9.82023-09-12
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of…
- CVE-2023-40315MEDIUMCVSS 5.3EG 5.32023-08-17
In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FILESYSTEM_EDITOR can easily escalate their privileges to ROLE_ADMIN or any other role. The solution is to upgrade to Mer…
- CVE-2023-40610MEDIUMCVSS 6.3EG 6.32023-11-27
Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata data…
- CVE-2023-40611MEDIUMCVSS 4.3EG 4.32023-09-12
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configura…
- CVE-2023-40829HIGHCVSS 7.5EG 7.52023-10-12
There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and 2.6.930000.
- CVE-2023-4107MEDIUMCVSS 6.5EG 6.72023-08-11
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
- CVE-2023-41077MEDIUMCVSS 5.5EG 5.52023-10-25
An app may be able to access protected user data. This issue is fixed in macOS Sonoma 14, macOS Ventura 13.6.1. The issue was addressed with improved checks.
- CVE-2023-41078MEDIUMCVSS 5.5EG 5.52023-09-27
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14. An app may be able to bypass certain Privacy preferences.
- CVE-2023-41314HIGHCVSS 8.2EG 8.22023-12-18
The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues.
- CVE-2023-41779MEDIUMCVSS 5.5EG 4.42024-01-03
There is an illegal memory access vulnerability of ZTE's ZXCLOUD iRAI product.When the vulnerability is exploited by an attacker with the common user permission, the physical machine will be crashed.
- CVE-2023-41882MEDIUMCVSS 4.3EG 5.42023-10-11
vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaborati…
- CVE-2023-4194MEDIUMCVSS 5.5EG 5.52023-08-07
A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomple…
- CVE-2023-41994MEDIUMCVSS 5.5EG 5.52024-01-10
A logic issue was addressed with improved checks This issue is fixed in macOS Sonoma 14. A camera extension may be able to access the camera view from apps other than the app for which it was granted permission.
- CVE-2023-42006MEDIUMCVSS 5.5EG 8.42023-12-01
IBM Administration Runtime Expert for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information caused by improper authority checks. IBM X-Force ID: 265266.
- CVE-2023-42124HIGHCVSS 7.8EG 5.32024-05-03
Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must fi…
- CVE-2023-4227MEDIUMCVSS 6.5EG 5.32023-08-24
A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security…
- CVE-2023-4242MEDIUMCVSS 4.3EG 4.32023-08-09
The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level pe…
- CVE-2023-42541MEDIUMCVSS 5.3EG 5.32023-11-07
Improper authorization in PushClientProvider of Samsung Push Service prior to version 3.4.10 allows attacker to access unique id.
- CVE-2023-42553MEDIUMCVSS 5.3EG 5.32023-11-07
Improper authorization verification vulnerability in Samsung Email prior to version 6.1.90.4 allows attackers to read sandbox data of email.
- CVE-2023-42569LOWCVSS 3.3EG 4.02023-12-05
Improper authorization verification vulnerability in AR Emoji prior to SMR Dec-2023 Release 1 allows attackers to read sandbox data of AR Emoji.
- CVE-2023-42575MEDIUMCVSS 6.8EG 5.42023-12-05
Improper Authentication vulnerability in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication due to invalid flag setting.
- CVE-2023-4269MEDIUMCVSS 4.3EG 4.32023-09-04
The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses.
- CVE-2023-42860MEDIUMCVSS 5.5EG 7.72024-02-21
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to modify protected parts of the file system.
- CVE-2023-43119CRITICALCVSS 9.8EG 9.82023-10-16
An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22.7, 31.7.2 allows attackers to gain escalated privileges using crafted telnet commands via Redis server.
- CVE-2023-4317MEDIUMCVSS 4.3EG 4.32023-12-01
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role…
- CVE-2023-43508MEDIUMCVSS 6.5EG 6.32023-10-25
Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of…
- CVE-2023-43609MEDIUMCVSS 6.9EG 6.92024-02-09
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.
- CVE-2023-4379HIGHCVSS 7.5EG 8.12023-11-09
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.
- CVE-2023-43961HIGHCVSS 8.8EG 8.82023-10-25
An issue in Dromara SaToken version 1.3.50RC and before when using Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
- CVE-2023-44154HIGHCVSS 8.1EG 3.52023-09-27
Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
- CVE-2023-44401MEDIUMCVSS 5.3EG 5.32024-01-23
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results wh…
- CVE-2023-44860HIGHCVSS 7.5EG 7.52023-10-06
An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.
- CVE-2023-45185HIGHCVSS 8.8EG 7.42023-12-14
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority. IB…
- CVE-2023-4532MEDIUMCVSS 4.3EG 4.32023-09-29
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of priva…
- CVE-2023-45626HIGHCVSS 7.2EG 5.52023-11-14
An authenticated vulnerability has been identified allowing an attacker to effectively establish highly privileged persistent arbitrary code execution across boot cycles.
- CVE-2023-45793MEDIUMCVSS 5.5EG 5.52024-03-12
A vulnerability has been identified in Siveillance Control (All versions >= V2.8 < V3.1.1). The affected product does not properly check the list of access groups that are assigned to an individual user. This could enable a locally logged …
- CVE-2023-45899HIGHCVSS 7.5EG 7.52023-10-31
An issue in the component SuperUserSetuserModuleFrontController:init() of idnovate superuser before v2.4.2 allows attackers to bypass authentication via a crafted HTTP call.
- CVE-2023-46125MEDIUMCVSS 6.5EG 6.52023-10-25
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its c…
- CVE-2023-46139MEDIUMCVSS 5.7EG 5.02023-10-31
KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root priv…
- CVE-2023-4617CRITICALCVSS 10.0EG 10.02024-12-19
Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affe…
- CVE-2023-46241CRITICALCVSS 9.0EG 9.02024-02-21
`discourse-microsoft-auth` is a plugin that enables authentication via Microsoft. On sites with the `discourse-microsoft-auth` plugin enabled, an attack can potentially take control of a victim's Discourse account. Sites that have configur…
- CVE-2023-46244HIGHCVSS 8.8EG 9.12023-11-07
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to write a script in which any velocity content is executed with the right of any other …
- CVE-2023-4658LOWCVSS 3.1EG 3.12023-12-01
An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `…
- CVE-2023-46753MEDIUMCVSS 5.9EG 7.52023-10-26
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
- CVE-2023-46754MEDIUMCVSS 5.3EG 5.32023-10-26
The admin panel for Obl.ong before 1.1.2 allows authorization bypass because the email OTP feature accepts arbitrary numerical values.
- CVE-2023-46906MEDIUMCVSS 4.9EG 4.92024-01-09
juzaweb <= 3.4 is vulnerable to Incorrect Access Control, resulting in an application outage after a 500 HTTP status code. The payload in the timezone field was not correctly validated.
- CVE-2023-46992HIGHCVSS 7.5EG 7.52023-10-31
TOTOLINK A3300R V17.0.0cu.557_B20221024 is vulnerable to Incorrect Access Control. Attackers are able to reset serveral critical passwords without authentication by visiting specific pages.
- CVE-2023-47037MEDIUMCVSS 4.3EG 4.32023-11-12
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DA…
- CVE-2023-47090MEDIUMCVSS 6.5EG 6.52023-10-30
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each…
- CVE-2023-47142HIGHCVSS 7.5EG 7.52024-02-02
IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 could allow an attacker on the organization's local network to escalate their privileges due to unauthorized API access. IBM X-Force ID: 270267.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →